Gamarue Malware Goes to Germany

The hotel booking spam recently reported has made its way into German users’ inboxes. The email, purporting to be from the Brenners Park-Hotel and Spa in Austria, has a similar theme to its English counterpart: it contains confirmation and details of an alleged booking reservation.

The email sample above was sent to a personal email address of one of Trend Micro’s managers. He almost fell for it, given that he travels a lot – until he noticed the address of the hotel.

It’s too bad the spammers aren’t as good at geography as they are at making spam: the actual Brenners Park-Hotel and Spa is in Baden-Baden, Germany, and not in Austria. While he was initially looking forward to visiting the hotel, having read the excellent reviews on TripAdvisor, the email made it clear that this was, unfortunately, a scam. The good thing, though, is that the attachment was already flagged and detected by Trend Micro as BKDR_ANDROM.P.

Technical Details: Network

The payload (email attachment) is a variant of the Gamarue/Andromeda bot that connects to any of the 6 C&C servers below. A typical Andromeda bot limits the number of domains to 6:

http://{BLOCKED}dia.pl/image.php

http://{BLOCKED}e.pl/image.php

http://{BLOCKED}ke.ru/image.php

http://{BLOCKED}e.pl/image.php

http://{BLOCKED}rm.ru/image.php

http://{BLOCKED}ve.com/image.php

These are all fast-flux domains and, apart from {BLOCKED}dia.pl, the servers seem to be offline/inactive. Initial communication is established by sending an encrypted POST request to the server.

A decrypted message would include the volume serial ID (which also acts as a decryption key), OS version, bot ID and socket name. In the image above, the server replied with a link to download one of its plugins, r.pack. The domain hosting the file seems to be a compromised Australian health site.
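A defender-side hunt for the check-in pattern described above, as an added example that is not part of the original post: it flags clients that POST to /image.php on several distinct domains in a proxy log. The log format, the sample lines, the `.example` host names and the two-domain threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (not from the original post). Assumed format:
# timestamp client_ip method url status request_bytes; status 0 = no response.
SAMPLE_LOG = """\
2000-01-01T09:00:01Z 10.0.0.21 POST http://c2-one.example/image.php 200 148
2000-01-01T09:00:03Z 10.0.0.21 POST http://c2-two.example/image.php 503 148
2000-01-01T09:00:05Z 10.0.0.21 POST http://c2-three.example/image.php 0 148
2000-01-01T09:01:10Z 10.0.0.34 POST http://gallery.example/image.php 200 20480
2000-01-01T09:02:00Z 10.0.0.34 GET http://gallery.example/image.php?id=7 200 0
2000-01-01T09:03:00Z 10.0.0.55 POST http://shop.example/checkout.php 200 512
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")
C2_PATH = "/image.php"  # path shared by all six C&C URLs listed in the post
MIN_DOMAINS = 2         # assumption: a single host with this path is too common to flag


def parse(line):
    """Return the fields the hunt needs, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, url, status, _size = m.groups()
    parts = urlsplit(url)
    return {"client": client, "method": method.upper(), "host": parts.hostname,
            "path": parts.path.lower(), "status": int(status)}


def suspected_bots(log_text, min_domains=MIN_DOMAINS):
    """Map client IP -> distinct domains POSTed to at /image.php, plus failures."""
    domains, failed = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["host"]:
            continue
        if rec["method"] != "POST" or rec["path"] != C2_PATH:
            continue
        domains[rec["client"]].add(rec["host"])
        # Dead C&C domains (most were offline per the post) show up as failures.
        if rec["status"] == 0 or rec["status"] >= 500:
            failed[rec["client"]] += 1
    return {c: {"domains": sorted(d), "failed": failed[c]}
            for c, d in domains.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for client, hit in suspected_bots(SAMPLE_LOG).items():
        print(client, hit)
```

A client that keeps POSTing the same small body to the same path on a handful of unrelated domains, several of which fail, is worth triaging even when none of the domains is on a blocklist yet.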

Further investigation showed that {BLOCKED}dia.pl shared an IP address with other .pl domains and some of them were known servers of other botnets. All of these were registered under:

Considering the high cost of acquiring and maintaining a “.pl” domain from DomainSilver, we are wondering why there is a slew of bad domains under this registrar. This is possibly because these domains have been operated by the same bad actor, or because the administrator of this registrar is simply not that strict on abuse.

Trend Micro contacted our friends in CERT.PL, who were very quick in taking down the {BLOCKED}dia.pl domain, so it is now also inactive.

Technical Details: Malware

The tool/bot used in this spam run is Gamarue or Andromeda (the bot’s actual name). Like the major bots in the market, Gamarue is modularized, and buyers can opt to encrypt/protect their bots by using available crypting services. In this instance, the malware is encrypted to prevent it from running in a sandboxed/debugged environment by using several anti-VM techniques, which include checking the CPU cycles, disk names, and running processes.

It also works in both 32-bit and 64-bit Windows environments, from Windows XP to Windows 7. The environment is determined by calling the IsWow64Process API, and the processes the file can be injected into are the following:

%System%\wuauclt.exe – 32-bit

%Windows%\SysWOW64\svchost.exe – 64-bit

Aside from downloading files, this module is also capable of modifying the registry, executing files and connecting to other URLs.

Technical Details: Infection

Given the obvious connection to Germany and Australia, it isn’t hard to guess that they were the most affected by this spam run. The graph below depicts the region/countries affected by this spam.

Trend Micro Smart Protection Network already blocks the related domains and links, and also blocks the particular email from even reaching users’ inboxes. It also detects and deletes the files as BKDR_ANDROM.P.

With additional analysis from Feike Hacquebord and Robert Mcardle
